rails3.rb

abort "Please run using test/test.rb" unless defined? BrakemanTester

Rails3 = BrakemanTester.run_scan "rails3", "Rails 3", :rails3 => true,
  :config_file => File.join(TEST_PATH, "apps", "rails3", "config", "brakeman.yml")

class Rails3Tests < Test::Unit::TestCase
  include BrakemanTester::FindWarning
  include BrakemanTester::CheckExpected
  
  def report
    Rails3
  end

  def expected
    @expected ||= {
      :controller => 1,
      :model => 8,
      :template => 38,
      :generic => 70
    }

    if RUBY_PLATFORM == 'java'
      @expected[:generic] += 1
    end

    @expected
  end

  def test_no_errors
    assert_equal 0, report[:errors].length
  end

  def test_config_sanity
    assert_equal 'utf-8', report[:config][:rails][:encoding].value
  end

  def test_eval_params
    assert_warning :type => :warning,
      :warning_code => 13,
      :fingerprint => "4efdd73fb759135f5980b5da1d9804aa4eb5c7475eabfd0f0cf41299d1d7ec42",
      :warning_type => "Dangerous Eval",
      :line => 40,
      :message => /^User input in eval near line 40: eval\(pa/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_class_eval_false_positive
    assert_no_warning :type => :warning,
      :warning_type => "Dangerous Eval",
      :line => 13,
      :message => /^User input in eval/,
      :confidence => 0,
      :file => /account\.rb/
  end

  def test_command_injection_params_interpolation
    assert_warning :type => :warning,
      :warning_code => 14,
      :fingerprint => "eb5287a6638bce4be342627db12d03f1e5b51175ed13549920921e3659c21df4",
      :warning_type => "Command Injection",
      :line => 34,
      :message => /^Possible command injection near line 34:/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_command_injection_system_params
    assert_warning :type => :warning,
      :warning_type => "Command Injection",
      :line => 36,
      :message => /^Possible command injection near line 36:/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_command_injection_non_user_input_backticks
    assert_warning :type => :warning,
      :warning_type => "Command Injection",
      :line => 48,
      :message => /^Possible\ command\ injection/,
      :confidence => 1,
      :file => /other_controller\.rb/
  end

  def test_command_injection_non_user_input_system
    assert_warning :type => :warning,
      :warning_type => "Command Injection",
      :line => 49,
      :message => /^Possible\ command\ injection/,
      :confidence => 1,
      :file => /other_controller\.rb/
  end

  def test_command_injection_capture2
    assert_warning :type => :warning,
      :warning_code => 14,
      :fingerprint => "744cb371d69e757edd75bf6d58c610e3e813ff2b75b353c4c89c67274e4a35bb",
      :warning_type => "Command Injection",
      :line => 146,
      :message => /^Possible\ command\ injection/,
      :confidence => 0,
      :relative_path => "app/controllers/home_controller.rb"
  end

  def test_command_injection_capture2e
    assert_warning :type => :warning,
      :warning_code => 14,
      :fingerprint => "521c0a714d14ae878305ce737a2bdd5897dcea154c0622b14806ed6e6c60f526",
      :warning_type => "Command Injection",
      :line => 147,
      :message => /^Possible\ command\ injection/,
      :confidence => 0,
      :relative_path => "app/controllers/home_controller.rb"
  end

  def test_command_injection_capture3
    assert_warning :type => :warning,
      :warning_code => 14,
      :fingerprint => "b75a4b21f55912860d675ac300de862f6b2050688b32f745ea8944832e5e699f",
      :warning_type => "Command Injection",
      :line => 148,
      :message => /^Possible\ command\ injection/,
      :confidence => 0,
      :relative_path => "app/controllers/home_controller.rb"
  end

  def test_command_injection_pipeline
    assert_warning :type => :warning,
      :warning_code => 14,
      :fingerprint => "a72b42173ccbc912f022e73a37afc57b8099a529a9f28ebd9e3e771ad384b81c",
      :warning_type => "Command Injection",
      :line => 149,
      :message => /^Possible\ command\ injection/,
      :confidence => 0,
      :relative_path => "app/controllers/home_controller.rb"
  end

  def test_command_injection_pipeline_r
    assert_warning :type => :warning,
      :warning_code => 14,
      :fingerprint => "987aad17f377a6101d5bd3e1611ae3716b276f319c3f91b69efd93717d993ea7",
      :warning_type => "Command Injection",
      :line => 150,
      :message => /^Possible\ command\ injection/,
      :confidence => 0,
      :relative_path => "app/controllers/home_controller.rb"
  end

  def test_command_injection_pipeline_rw
    assert_warning :type => :warning,
      :warning_code => 14,
      :fingerprint => "02485597e19623e805dfa48a797f6f453d854f87ea03e51330494bf671bf5f68",
      :warning_type => "Command Injection",
      :line => 151,
      :message => /^Possible\ command\ injection/,
      :confidence => 0,
      :relative_path => "app/controllers/home_controller.rb"
  end

  def test_command_injection_pipeline_start
    assert_warning :type => :warning,
      :warning_code => 14,
      :fingerprint => "c38ddfa0340fcaaa2a626de722a7784a0448fce01b58601c9c159113d1ce6e5f",
      :warning_type => "Command Injection",
      :line => 152,
      :message => /^Possible\ command\ injection/,
      :confidence => 0,
      :relative_path => "app/controllers/home_controller.rb"
  end

  def test_command_injection_spawn
    assert_warning :type => :warning,
      :warning_code => 14,
      :fingerprint => "6b25cb3fa42bb234319ddf690a164eda038b6f000e501fbfa872fb5fa627609b",
      :warning_type => "Command Injection",
      :line => 153,
      :message => /^Possible\ command\ injection/,
      :confidence => 0,
      :relative_path => "app/controllers/home_controller.rb"
  end

  def test_command_injection_posix_spawn
    assert_warning :type => :warning,
      :warning_code => 14,
      :fingerprint => "678ea7e0c73c91df335247b2470678dd23dfe66f049add9c783e3de4fb6e5046",
      :warning_type => "Command Injection",
      :line => 154,
      :message => /^Possible\ command\ injection/,
      :confidence => 0,
      :relative_path => "app/controllers/home_controller.rb"
  end

  def test_file_access_concatenation
    assert_warning :type => :warning,
      :warning_type => "File Access",
      :line => 24,
      :message => /^Parameter value used in file name near l/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_file_access_load
    assert_warning :type => :warning,
      :warning_type => "File Access",
      :line => 67,
      :message => /^Parameter value used in file name near l/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_file_access_yaml_load
    assert_no_warning :type => :warning,
      :warning_type => "File Access",
      :line => 106,
      :message => /^Parameter\ value\ used\ in\ file\ name/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_file_access_yaml_parse_file
    assert_warning :type => :warning,
      :warning_type => "File Access",
      :line => 109,
      :message => /^Parameter\ value\ used\ in\ file\ name/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_mass_assignment
    assert_warning :type => :warning,
      :warning_type => "Mass Assignment",
      :line => 54,
      :message => /^Unprotected mass assignment near line 54/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_protected_mass_assignment
    assert_warning :type => :warning,
      :warning_type => "Mass Assignment",
      :line => 43,
      :message => /^Unprotected mass assignment near line 43: Product.new/,
      :confidence => 1,
      :file => /products_controller\.rb/
  end

  def test_protected_mass_assignment_update
    assert_warning :type => :warning,
      :warning_type => "Mass Assignment",
      :line => 62,
      :message => /^Unprotected mass assignment near line 62: Product.find/,
      :confidence => 1,
      :file => /products_controller\.rb/
  end

  def test_update_attribute_no_mass_assignment
    assert_no_warning :type => :warning,
      :warning_type => "Mass Assignment",
      :line => 26,
      :message => /^Unprotected mass assignment near line 26/,
      :confidence => 0,
      :file => /other_controller\.rb/
  end

  def test_redirect
    assert_warning :type => :warning,
      :warning_type => "Redirect",
      :line => 45,
      :message => /^Possible unprotected redirect near line /,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_redirect_to_model_instance
    assert_no_warning :type => :warning,
      :warning_type => "Redirect",
      :line => 63,
      :message => /^Possible unprotected redirect near line 63: redirect_to/,
      :confidence => 2,
      :file => /products_controller\.rb/
  end

  def test_redirect_only_path_in_wrong_argument
    assert_warning :type => :warning,
      :warning_type => "Redirect",
      :line => 77,
      :message => /^Possible unprotected redirect near line 77: redirect_to\(params\[/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_redirect_url_for_not_only_path
    assert_warning :type => :warning,
      :warning_type => "Redirect",
      :line => 83,
      :message => /^Possible unprotected redirect near line 83: redirect_to\(url_for/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_render_path
    assert_warning :type => :warning,
      :warning_type => "Dynamic Render Path",
      :line => 63,
      :message => /^Render path contains parameter value near line 63: render/,
      :confidence => 1,
      :file => /home_controller\.rb/
  end

  def test_file_access_send_file
    assert_warning :type => :warning,
      :warning_type => "File Access",
      :line => 21,
      :message => /^Parameter value used in file name near l/,
      :confidence => 0,
      :file => /other_controller\.rb/
  end

  def test_rails_cve_2012_2660
    assert_warning :type => :warning,
      :warning_type => "SQL Injection",
      :message => /CVE-2012-2660/,
      :confidence => 0,
      :file => /Gemfile/
  end

  def test_rails_cve_2012_2661
    assert_warning :type => :warning,
      :warning_type => "SQL Injection",
      :message => /CVE-2012-2661/,
      :confidence => 0,
      :file => /Gemfile/
  end

  def test_rails_cve_2012_2695
    assert_warning :type => :warning,
      :warning_type => "SQL Injection",
      :message => /CVE-2012-2695/,
      :confidence => 0,
      :file => /Gemfile/
  end

  def test_sql_injection_CVE_2012_5664
    assert_warning :type => :warning,
      :warning_type => "SQL Injection",
      :message => /CVE-2012-5664/,
      :confidence => 0,
      :file => /Gemfile/
  end

  def test_sql_injection_find_by_sql
    assert_warning :type => :warning,
      :warning_type => "SQL Injection",
      :line => 28,
      :message => /^Possible SQL injection near line 28: Use/,
      :confidence => 1,
      :file => /home_controller\.rb/
  end

  def test_sql_injection_unknown_variable
    assert_warning :type => :warning,
      :warning_type => "SQL Injection",
      :line => 29,
      :message => /^Possible SQL injection near line 29: Use/,
      :confidence => 1,
      :file => /home_controller\.rb/
  end

  def test_sql_injection_params
    assert_warning :type => :warning,
      :warning_type => "SQL Injection",
      :line => 30,
      :message => /^Possible SQL injection near line 30: Use/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_sql_injection_non_active_record_model
    assert_no_warning :type => :warning,
      :warning_type => "SQL Injection",
      :line => 30,
      :message => /^Possible\ SQL\ injection/,
      :confidence => 0,
      :file => /other_controller\.rb/
  end

  def test_csrf_protection
    assert_warning :type => :controller,
      :warning_type => "Cross-Site Request Forgery",
      :message => /^'protect_from_forgery' should be called /,
      :confidence => 0,
      :file => /application_controller\.rb/
  end

  def test_attribute_restriction
    assert_warning :type => :model,
      :warning_type => "Attribute Restriction",
      :message => /^Mass assignment is not restricted using /,
      :confidence => 0,
      :file => /account, user\.rb/
  end

  def test_attr_protected
    assert_warning :type => :model,
      :warning_type => "Attribute Restriction",
      :message => /^attr_protected is bypassable in/,
      :confidence => 0,
      :file => /product\.rb/
  end

  def test_format_validation
    assert_warning :type => :model,
      :warning_type => "Format Validation",
      :line => 2,
      :message => /^Insufficient validation for 'name' using/,
      :confidence => 0,
      :file => /account\.rb/
  end

  def test_format_validation_with_z
    assert_warning :type => :model,
      :warning_type => "Format Validation",
      :line => 3,
      :message => /^Insufficient validation for 'blah' using/,
      :confidence => 0,
      :file => /account\.rb/
  end

  def test_format_validation_with_a
    assert_warning :type => :model,
      :warning_type => "Format Validation",
      :line => 4,
      :message => /^Insufficient validation for 'something' using/,
      :confidence => 0,
      :file => /account\.rb/
  end

  def test_allowable_validation
    results = find :type => :model,
      :warning_type => "Format Validation",
      :line => 5,
      :message => /^Insufficient validation/,
      :confidence => 0,
      :file => /account\.rb/

    assert_equal 0, results.length, "Validation was allowable, should not raise warning"
  end

  def test_allowable_validation_with_Z
    results = find :type => :model,
      :warning_type => "Format Validation",
      :line => 6,
      :message => /^Insufficient validation/,
      :confidence => 0,
      :file => /account\.rb/

    assert_equal 0, results.length, "Validation was allowable, should not raise warning"
  end

  def test_xss_parameter_direct
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 3,
      :message => /^Unescaped parameter value near line 3: p/,
      :confidence => 0,
      :file => /index\.html\.erb/
  end

  def test_xss_parameter_variable
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 5,
      :message => /^Unescaped parameter value near line 5: p/,
      :confidence => 0,
      :file => /index\.html\.erb/
  end

  def test_xss_parameter_locals
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 4,
      :message => /^Unescaped parameter value near line 4: p/,
      :confidence => 0,
      :file => /test_locals\.html\.erb/
  end

  def test_xss_model_collection
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 1,
      :message => /^Unescaped model attribute near line 1: User.new.first_name/,
      :confidence => 0,
      :file => /_user\.html\.erb/
  end

  def test_xss_model
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 3,
      :message => /^Unescaped model attribute/,
      :confidence => 0,
      :file => /test_model\.html\.erb/
  end

  def test_xss_model_known_bad
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 6,
      :message => /^Unescaped model attribute near line 6: a/,
      :confidence => 0,
      :file => /test_model\.html\.erb/
  end

  def test_model_in_link_to
    assert_no_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 8,
      :message => /^Unescaped model attribute in link_to/,
      :confidence => 0,
      :file => /test_model\.html\.erb/
  end

  def test_encoded_href_parameter_in_link_to
    assert_no_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 12,
      :message => /^Unsafe parameter value in link_to href/,
      :confidence => 0,
      :file => /test_params\.html\.erb/
  end  
 
  def test_href_parameter_in_link_to
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 14,
      :message => /^Unsafe parameter value in link_to href/,
      :confidence => 0,
      :file => /test_params\.html\.erb/
 
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 16,
      :message => /^Unsafe parameter value in link_to href/,
      :confidence => 1,
      :file => /test_params\.html\.erb/      
 
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 18,
      :message => /^Unsafe parameter value in link_to href/,
      :confidence => 1,
      :file => /test_params\.html\.erb/            
  end  

  def test_polymorphic_url_in_href
    assert_no_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 10,
      :message => /^Unsafe parameter value in link_to href/,
      :confidence => 1,
      :file => /test_model\.html\.erb/  

    assert_no_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 12,
      :message => /^Unsafe parameter value in link_to href/,
      :confidence => 1,
      :file => /test_model\.html\.erb/  
  end


  def test_file_access_in_template
    assert_warning :type => :template,
      :warning_type => "File Access",
      :line => 3,
      :message => /^Parameter value used in file name near l/,
      :confidence => 0,
      :file => /test_file_access\.html\.erb/
  end

  def test_xss_cookie_direct
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 3,
      :message => /^Unescaped cookie value/,
      :confidence => 0,
      :file => /test_cookie\.html\.erb/
  end

  def test_xss_filter
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 3,
      :message => /^Unescaped parameter value/,
      :confidence => 0,
      :file => /test_filter\.html\.erb/
  end

  def test_xss_iteration
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 3,
      :message => /^Unescaped model attribute/,
      :confidence => 0,
      :file => /test_iteration\.html\.erb/
  end

  def test_xss_iteration2
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 4,
      :message => /^Unescaped model attribute/,
      :confidence => 0,
      :file => /test_iteration\.html\.erb/
  end

  def test_unescaped_model
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 3, #This should be line 4 :(
      :message => /^Unescaped model attribute/,
      :confidence => 0,
      :file => /test_sql\.html\.erb/
  end

  def test_xss_params
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 4,
      :message => /^Unescaped parameter value/,
      :confidence => 0,
      :file => /test_params\.html\.erb/
  end

  def test_indirect_xss
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 6,
      :message => /^Unescaped parameter value/,
      :confidence => 2,
      :file => /test_params\.html\.erb/
  end

  def test_sql_injection_in_template
    #SQL injection in controllers should not warn again in views
    assert_no_warning :type => :template,
      :warning_type => "SQL Injection",
      :line => 3, #This should be line 4 :(
      :message => /^Possible SQL injection/,
      :confidence => 0,
      :file => /test_sql\.html\.erb/
  end

  def test_sql_injection_via_if
    assert_warning :type => :warning,
      :warning_type => "SQL Injection",
      :line => 32,
      :message => /^Possible SQL injection near line 32: User.where/,
      :confidence => 0,
      :file => /user\.rb/
  end

  def test_sqli_in_unusual_model_name
    assert_warning :type => :warning,
      :warning_code => 0,
      :warning_type => "SQL Injection",
      :line => 3,
      :message => /^Possible\ SQL\ injection/,
      :confidence => 1,
      :file => /underline_model\.rb/
  end

  def test_sql_injection_delete_all
    assert_warning :type => :warning,
      :warning_code => 0,
      :fingerprint => "6ae0b599e368b7658cfe3772ab0823d68247796b3718eaa6c1228897d633e0a2",
      :warning_type => "SQL Injection",
      :line => 57,
      :message => /^Possible\ SQL\ injection/,
      :confidence => 0,
      :relative_path => "app/controllers/other_controller.rb",
      :user_input => s(:call, s(:params), :[], s(:lit, :name))
  end

  def test_sql_injection_destroy_all
    assert_warning :type => :warning,
      :warning_code => 0,
      :fingerprint => "0631b0564dfe4bb760c250e1de7f0678dd28e5be5c54841fa8581ac3bf2ffaaf",
      :warning_type => "SQL Injection",
      :line => 58,
      :message => /^Possible\ SQL\ injection/,
      :confidence => 0,
      :relative_path => "app/controllers/other_controller.rb",
      :user_input => s(:call, s(:call, s(:const, :User), :current), :humanity)
  end

  def test_sql_injection_to_s_value
    assert_warning :type => :warning,
      :warning_code => 0,
      :fingerprint => "92eae7165aea8653ce37be36b5a843114fd7d6ce61f272db03239dfdaa151ee8",
      :warning_type => "SQL Injection",
      :line => 64,
      :message => /^Possible\ SQL\ injection/,
      :confidence => 1,
      :relative_path => "app/controllers/other_controller.rb",
      :user_input => s(:call, nil, :product_action_type_key)

    assert_warning :type => :warning,
      :warning_code => 0,
      :fingerprint => "6066950e19a729359e867b882323ef75334791bdceac75a16f586fc53f3318a0",
      :warning_type => "SQL Injection",
      :line => 68,
      :message => /^Possible\ SQL\ injection/,
      :confidence => 1,
      :relative_path => "app/controllers/other_controller.rb",
      :user_input => s(:lvar, :status)

    assert_no_warning :type => :warning,
      :warning_code => 0,
      :fingerprint => "c36f33e3b004e081622f1829be288ebdad673a7bf04922eb1d2b9a3d701362a1"
  end

  def test_escape_once
    results = find :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 7,
      :message => /^Unescaped parameter value/,
      :confidence => 2,
      :file => /index\.html\.erb/

    assert_equal 0, results.length, "escape_once is a safe method"
  end

  def test_indirect_cookie
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 4,
      :message => /^Unescaped cookie value/,
      :confidence => 2,
      :file => /test_cookie\.html\.erb/
  end

  #Check for params that look like params[:x][:y]
  def test_params_multidimensional
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 10,
      :message => /^Unescaped parameter value/,
      :confidence => 0,
      :file => /test_params\.html\.erb/
  end

  #Check for cookies that look like cookies[:blah][:blah]
  def test_cookies_multidimensional
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 6,
      :message => /^Unescaped cookie value/,
      :confidence => 0,
      :file => /test_cookie\.html\.erb/
  end

  def test_default_routes
    assert_warning :warning_type => "Default Routes",
      :line => 101,
      :message => /All public methods in controllers are available as actions/,
      :file => /routes\.rb/
  end

  def test_user_input_in_mass_assignment
    assert_warning :warning_type => "Mass Assignment",
      :line => 58,
      :message => /^Unprotected mass assignment/,
      :confidence => 2,
      :file => /home_controller\.rb/
  end

  def test_mass_assignment_in_chained_call
    assert_warning :warning_type => "Mass Assignment",
      :line => 9,
      :message => /^Unprotected mass assignment near line 9: Account.new/,
      :confidence => 0,
      :file => /account\.rb/
  end

  def test_mass_assign_with_strong_params
    assert_no_warning :type => :warning,
      :warning_type => "Mass Assignment",
      :line => 53,
      :message => /^Unprotected\ mass\ assignment/,
      :confidence => 0,
      :file => /other_controller\.rb/
  end

  def test_mass_assignment_first_or_create
    assert_warning :type => :warning,
      :warning_type => "Mass Assignment",
      :line => 114,
      :message => /^Unprotected\ mass\ assignment/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_mass_assignment_first_or_create!
    assert_warning :type => :warning,
      :warning_type => "Mass Assignment",
      :line => 115,
      :message => /^Unprotected\ mass\ assignment/,
      :confidence => 2,
      :file => /home_controller\.rb/
  end

  def test_mass_assignment_first_or_initialize!
    assert_warning :type => :warning,
      :warning_type => "Mass Assignment",
      :line => 116,
      :message => /^Unprotected\ mass\ assignment/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_mass_assignment_update
    assert_warning :type => :warning,
      :warning_type => "Mass Assignment",
      :line => 118,
      :message => /^Unprotected\ mass\ assignment/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_mass_assignment_assign_attributes
    assert_warning :type => :warning,
      :warning_type => "Mass Assignment",
      :line => 119,
      :message => /^Unprotected\ mass\ assignment/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_mass_assignment_with_slice
    assert_no_warning :type => :warning,
      :warning_type => "Mass Assignment",
      :line => 141,
      :message => /^Unprotected\ mass\ assignment/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_mass_assignment_with_only
    assert_no_warning :type => :warning,
      :warning_type => "Mass Assignment",
      :line => 142,
      :message => /^Unprotected\ mass\ assignment/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_translate_bug
    assert_warning :type => :warning,
      :warning_type => "Cross Site Scripting",
      :message => /^Versions before 3.0.11 have a vulnerability/,
      :confidence => 1,
      :file => /Gemfile/
  end

  def test_model_build
    assert_warning :warning_type => "Mass Assignment",
      :line => 73,
      :message => /^Unprotected mass assignment near line 73: User.new.something.something/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_string_buffer_manipulation_bug
    assert_warning :type => :warning,
      :warning_type => "Cross Site Scripting",
      :message => /^Rails 3\.\d\.\d has a vulnerabilty in SafeBuffer. Upgrade to 3.0.12/,
      :confidence => 1,
      :file => /Gemfile/
  end

  def test_rails3_render_partial
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 15,
      :message => /^Unescaped model attribute near line 15: Product/,
      :confidence => 0,
      :file => /_form\.html\.erb/
  end

  def test_xss_content_tag_raw_content
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 8,
      :message => /^Unescaped\ parameter\ value\ in\ content_tag/,
      :confidence => 0,
      :file => /test_content_tag\.html\.erb/
  end

  def test_xss_content_tag_attribute_name
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 14,
      :message => /^Unescaped\ cookie\ value\ in\ content_tag/,
      :confidence => 0,
      :file => /test_content_tag\.html\.erb/
  end

  def test_xss_content_tag_attribute_name_even_with_escape
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 20,
      :message => /^Unescaped\ model\ attribute\ in\ content_tag/,
      :confidence => 0,
      :file => /test_content_tag\.html\.erb/
  end

  def test_xss_content_tag_unescaped_attribute
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 26,
      :message => /^Unescaped\ model\ attribute\ in\ content_tag/,
      :confidence => 0,
      :file => /test_content_tag\.html\.erb/
  end 

  def test_xss_content_tag_in_tag_name
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 32,
      :message => /^Unescaped\ parameter\ value\ in\ content_tag/,
      :confidence => 0,
      :file => /test_content_tag\.html\.erb/
  end

  def test_cross_site_scripting_prepend_filter
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 1,
      :message => /^Unescaped\ parameter\ value/,
      :confidence => 0,
      :file => /use_filter12345\.html\.erb/
  end

  def test_cross_site_scripting_append_filter
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 3,
      :message => /^Unescaped\ model\ attribute/,
      :confidence => 0,
      :file => /use_filter12345\.html\.erb/
  end

  def test_cross_site_scripting_prepend_filter_overwrite
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 5,
      :message => /^Unescaped\ model\ attribute/,
      :confidence => 0,
      :file => /use_filter12345\.html\.erb/
  end

  def test_cross_site_scripting_prepend_filter_overwrite_2
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 8,
      :message => /^Unescaped\ model\ attribute/,
      :confidence => 0,
      :file => /use_filter12345\.html\.erb/
  end

  def test_cross_site_scripting_model_in_tag_name
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 35,
      :message => /^Unescaped\ model\ attribute\ in\ content_tag/,
      :confidence => 0,
      :file => /test_content_tag\.html\.erb/
  end

  def test_cross_site_scripting_request_parameters
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 20,
      :message => /^Unescaped\ parameter\ value/,
      :confidence => 0,
      :file => /test_params\.html\.erb/
  end

  def test_cross_site_scripting_in_nested_controller
    assert_warning :type => :template,
      :warning_code => 2,
      :warning_type => "Cross Site Scripting",
      :line => 1,
      :message => /^Unescaped\ parameter\ value/,
      :confidence => 0,
      :file => /so_nested\.html\.erb/
  end

  def test_cross_site_scripting_from_parent
    assert_warning :type => :template,
      :warning_code => 2,
      :fingerprint => "1e860da2c9a0cac3d898f3c4327877b3bdfa391048a19bfd6f55d6e283cc5b33",
      :warning_type => "Cross Site Scripting",
      :line => 1,
      :message => /^Unescaped\ parameter\ value/,
      :confidence => 0,
      :relative_path => "app/views/child/action_in_child.html.erb"
  end

  def test_cross_site_scripting_select_tag_CVE_2012_3463
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 3,
      :message => /^Upgrade\ to\ Rails\ 3\.0\.17,\ 3\.0\.3\ select_ta/,
      :confidence => 0,
      :file => /test_select_tag\.html\.erb/
  end

  def test_cross_site_scripting_single_quotes_CVE_2012_3464
    assert_warning :type => :warning,
      :warning_type => "Cross Site Scripting",
      :message => /^Rails\ 3\.0\.3\ does\ not\ escape\ single\ quote/,
      :confidence => 1,
      :file => /Gemfile/
  end

  def test_CVE_2012_3424
    assert_warning :type => :warning,
      :warning_type => "Denial of Service",
      :message => /^Vulnerability\ in\ digest\ authentication\ \(/,
      :confidence => 0,
      :file => /Gemfile/
  end

  def test_strip_tags_CVE_2012_3465
    assert_warning :type => :warning,
      :warning_type => "Cross Site Scripting",
      :message => /^Versions\ before\ 3\.0\.10\ have\ a\ vulnerabil/,
      :confidence => 0,
      :file => /Gemfile/
  end

  def test_mail_link_CVE_2011_0446
    assert_warning :type => :template,
      :warning_code => 32,
      :fingerprint => "ca5cb14e201255ecf4904957bba2e12eab64ea2d31c26d7150a431dcdae2f206",
      :warning_type => "Mail Link",
      :line => 1,
      :message => /^Vulnerability\ in\ mail_to\ using\ javascrip/,
      :confidence => 0,
      :file => /Gemfile/
  end

  def test_sql_injection_CVE_2013_0155
    assert_warning :type => :warning,
      :warning_type => "SQL Injection",
      :message => /CVE-2013-0155/,
      :confidence => 0,
      :file => /Gemfile/
  end

  def test_remote_code_execution_CVE_2013_0156_fix
    assert_no_warning :type => :warning,
      :warning_type => "Remote Code Execution",
      :message => /^Rails\ 3\.0\.3\ has\ a\ remote\ code\ execution\ /,
      :confidence => 0,
      :file => /Gemfile/
  end

  def test_remote_code_execution_CVE_2013_0277_protected
    assert_warning :type => :model,
      :warning_type => "Remote Code Execution",
      :message => /^Serialized\ attributes\ are\ vulnerable\ in\ /,
      :confidence => 1,
      :file => /product\.rb/
  end

  def test_remote_code_execution_CVE_2013_0277_accessible
    assert_warning :type => :model,
      :warning_type => "Remote Code Execution",
      :message => /^Serialized\ attributes\ are\ vulnerable\ in\ /,
      :confidence => 1,
      :file => /purchase\.rb/
  end

  def test_remote_code_execution_CVE_2013_0277_unprotected
    assert_warning :type => :model,
      :fingerprint => "b85602475eb048cfe7941b5952c3d5a09a7d9d0607f81fbf2b7578d1055fec90",
      :warning_type => "Remote Code Execution",
      :message => /^Serialized\ attributes\ are\ vulnerable\ in\ /,
      :confidence => 0,
      :file => /user\.rb/
  end

  def test_remote_code_execution_CVE_2013_0333
    assert_warning :type => :warning,
      :warning_type => "Remote Code Execution",
      :message => /^Rails\ 3\.0\.3\ has\ a\ serious\ JSON\ parsing\ v/,
      :confidence => 0,
      :file => /Gemfile/
  end 

  def test_denial_of_service_CVE_2013_0269
    assert_warning :type => :warning,
      :warning_type => "Denial of Service",
      :message => /^json_pure\ gem\ version\ 1\.6\.4\ has\ a\ symbol/,
      :confidence => 0,
      :file => /Gemfile/
  end

  def test_xss_CVE_2013_1857
    assert_warning :type => :warning,
      :warning_type => "Cross Site Scripting",
      :line => 40,
      :message => /^Rails\ 3\.0\.3\ has\ a\ vulnerability\ in\ sanit/,
      :confidence => 0,
      :file => /user\.rb/
  end

  def test_xml_jruby_parsing_CVE_2013_1856
    if RUBY_PLATFORM == 'java'
      assert_warning :type => :warning,
        :warning_type => "File Access",
        :message => /^Rails\ 3\.0\.3\ with\ JRuby\ has\ a\ vulnerabili/,
        :confidence => 0,
        :file => /Gemfile/
    end
  end

  def test_denial_of_service_CVE_2013_1854
    assert_no_warning :type => :warning,
      :warning_code => 55,
      :fingerprint => "2746b8872d4f46676a8c490a7ac906d23f6b11c9d83b6371ff5895139ec7b43b",
      :warning_type => "Denial of Service",
      :message => /^Rails\ 3\.0\.3\ has\ a\ denial\ of\ service\ vul/,
      :confidence => 1,
      :file => /Gemfile/
  end

  def test_denial_of_service_CVE_2013_6414
    assert_warning :type => :warning,
      :warning_code => 64,
      :fingerprint => "a7b00f08e4a18c09388ad017876e3f57d18040ead2816a2091f3301b6f0e5a00",
      :warning_type => "Denial of Service",
      :message => /^Rails\ 3\.0\.3\ has\ a\ denial\ of\ service\ vuln/,
      :confidence => 1,
      :relative_path => "Gemfile"
  end

  def test_number_to_currency_CVE_2014_0081
    assert_warning :type => :warning,
      :warning_code => 73,
      :fingerprint => "f6981b9c24727ef45040450a1f4b158ae3bc31b4b0343efe853fe12c64881695",
      :warning_type => "Cross Site Scripting",
      :line => nil,
      :message => /^Rails\ 3\.0\.3\ has\ a\ vulnerability\ in\ numbe/,
      :confidence => 1,
      :relative_path => "Gemfile",
      :user_input => nil
  end

  def test_sql_injection_CVE_2013_6417
    assert_warning :type => :warning,
      :warning_code => 69,
      :fingerprint => "e1b66f4311771d714a13be519693c540d7e917511a758827d9b2a0a7f958e40f",
      :warning_type => "SQL Injection",
      :line => nil,
      :message => /^Rails\ 3\.0\.3\ contains\ a\ SQL\ injection\ vul/,
      :confidence => 0,
      :relative_path => "Gemfile",
      :user_input => nil
  end

  def test_http_only_session_setting
    assert_warning :type => :warning,
      :warning_type => "Session Setting",
      :line => 3,
      :message => /^Session\ cookies\ should\ be\ set\ to\ HTTP\ on/,
      :confidence => 0,
      :file => /session_store\.rb/
  end

  def test_secure_only_session_setting
    assert_warning :type => :warning,
      :warning_type => "Session Setting",
      :line => 3,
      :message => /^Session\ cookie\ should\ be\ set\ to\ secure\ o/,
      :confidence => 0,
      :file => /session_store\.rb/
  end

  def test_session_secret_token
    assert_no_warning :type => :warning,
      :warning_type => "Session Setting",
      :line => 7,
      :message => /^Session\ secret\ should\ not\ be\ included\ in/,
      :confidence => 0,
      :file => /secret_token\.rb/
  end

  def test_remote_code_execution_yaml_load_params_interpolated
    assert_warning :type => :warning,
      :warning_type => "Remote Code Execution",
      :line => 106,
      :message => /^YAML\.load\ called\ with\ parameter\ value/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_remote_code_execution_yaml_load_params
    assert_warning :type => :warning,
      :warning_type => "Remote Code Execution",
      :line => 123,
      :message => /^YAML\.load\ called\ with\ parameter\ value/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end

  def test_remote_code_execution_yaml_load_indirect_cookies
    assert_warning :type => :warning,
      :warning_type => "Remote Code Execution",
      :line => 125,
      :message => /^YAML\.load\ called\ with\ cookie\ value/,
      :confidence => 1,
      :file => /home_controller\.rb/
  end

  def test_remote_code_execution_yaml_load_model_attribute
    assert_warning :type => :warning,
      :warning_type => "Remote Code Execution",
      :line => 126,
      :message => /^YAML\.load\ called\ with\ model\ attribute/,
      :confidence => 1,
      :file => /home_controller\.rb/
  end

  def test_remote_code_execution_yaml_load_documents
    assert_warning :type => :warning,
      :warning_type => "Remote Code Execution",
      :line => 130,
      :message => /^YAML\.load_documents\ called\ with\ paramete/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end


  def test_remote_code_execution_yaml_load_stream
    assert_warning :type => :warning,
      :warning_type => "Remote Code Execution",
      :line => 131,
      :message => /^YAML\.load_stream\ called\ with\ cookie\ value/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end


  def test_remote_code_execution_yaml_parse_documents
    assert_warning :type => :warning,
      :warning_type => "Remote Code Execution",
      :line => 132,
      :message => /^YAML\.parse_documents\ called\ with\ paramet/,
      :confidence => 0,
      :file => /home_controller\.rb/
  end


  def test_remote_code_execution_yaml_parse_stream
    assert_warning :type => :warning,
      :warning_type => "Remote Code Execution",
      :line => 133,
      :message => /^YAML\.parse_stream\ called\ with\ model\ attr/,
      :confidence => 1,
      :file => /home_controller\.rb/
  end
end